Re: White House to Propose System for Wide Monitoring of Internet
On Fri, 20 Dec 2002, Ted Hardie wrote:

: "exchange point routing tables" seems to assume that the exchange
: point operator is operating at Layer 3. The most popular exchanges at
: the moment (PAIX, LINX, EQIX) seem to be layer 2 (GigE) or layer 1
: (fiber strung from cage to cage, you run what you want over same).

My mistake, but I was just using routing tables as an example of how the redirection could be done on layer 3. It's important that the layer 3 traffic be redirected so that full sessions can be captured, instead of simply sniffing a span port and hoping that you get everything.

From the perspective of gathering evidence, they just record enough to get a warrant to seize the machine of the suspect, and all the physical evidence will be there. For example, IDS logs have varying levels of reliability, but their value is that they pinpoint and corroborate the source of physical evidence in the event of an incident. Asymmetric routes cause problems for IDSs that just watch a span port or use a tap, as sessions get lost and alerts can't be correlated as easily.

The idea being that a sensor sees a trigger, it alerts, and either the source gets statically routed to a tunnel interface, or, depending on capacity and where the sensor is located, it just routes the traffic's source network through the monitoring network. It's like diverting part of a stream.

From what we have been seeing in the papers, it isn't the data collection that is the difficult part anyway, it's the administrative overhead and knowledge management that needs all the resources. When people criticize these plans, they tend to attack the challenges of data collection. I think the technical challenges that data collection poses are overblown and serve as kind of a red herring that diverts attention from the larger ethical (non-operational) problems of data aggregation and response.

--
batz
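The asymmetric-route problem described in the post above, as an added example that is not part of the original message: a toy sensor that only sees one link (a span port or tap) is compared with one that sees the traffic after it has been diverted through the monitoring network. The link names, addresses and packets are constructed for the illustration.

```python
# Toy model: why a one-link span port loses sessions on asymmetric routes,
# while diverting the source network through the monitoring path does not.

# Constructed sample: forward path crosses link A, return path crosses link B.
PACKETS = [
    ("linkA", "10.0.0.5", "192.0.2.10", "SYN"),
    ("linkB", "192.0.2.10", "10.0.0.5", "SYN-ACK"),
    ("linkA", "10.0.0.5", "192.0.2.10", "ACK"),
    ("linkA", "10.0.0.5", "192.0.2.10", "DATA"),
    ("linkB", "192.0.2.10", "10.0.0.5", "DATA"),
]

def flow_key(src, dst):
    """Bidirectional flow identifier: identical for both directions."""
    return tuple(sorted((src, dst)))

def sensor_view(packets, visible_links):
    """Summarise each flow as a sensor that only sees visible_links would."""
    flows = {}
    for link, src, dst, flags in packets:
        if link not in visible_links:
            continue  # the sensor never sees packets on other links
        f = flows.setdefault(flow_key(src, dst), {"dirs": set(), "flags": set()})
        f["dirs"].add((src, dst))
        f["flags"].add(flags)
    return {
        key: {
            "directions_seen": len(f["dirs"]),
            # Full-session capture needs all three handshake segments.
            "handshake_complete": {"SYN", "SYN-ACK", "ACK"} <= f["flags"],
        }
        for key, f in flows.items()
    }

SPAN_PORT = {"linkA"}          # tap or span port on a single link
DIVERTED = {"linkA", "linkB"}  # source network routed via the monitoring network

if __name__ == "__main__":
    for name, links in (("span port on link A", SPAN_PORT), ("diverted route", DIVERTED)):
        print(name, sensor_view(PACKETS, links))
```

The span-port view reports one direction and an incomplete handshake for the same flow that the diverted view reconstructs fully, which is the correlation gap the post refers to.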